Can't access my website via https

If it came with the install, you might want to replace it.

Are you on a menu driven system or can you just edit the conf file manually?

Edit the config manually.
When I renew there is a command to increase to 4096.

Try updating these two lines:

ssl_ciphers CHACHA20:ECDSA+AESGCM:ECDHE+AESGCM:ECDSA+SHA384:ECDSA+SHA256:ECDHE+SHA384:ECDHE+SHA256:ECDSA:ECDHE:!3DES:!ADH:!AECDH:!AESCCM:!aNULL:!CAMELLIA:!DES:!DHE:!DSS:!eNULL:!EXP:!IDEA:!LOW:!MD5:!MEDIUM:!NULL:!PSK:!RC4:!SEED:!SHA1:!SRP;

ssl_ecdh_curve sect571r1:secp521r1:brainpoolP512r1:sect409r1:brainpoolP384r1:secp384r1;

Still get A+ but not 100% on key exchange and cipher strength.
Will check your response tomorrow. Thank you so much for your help.

I'm glad things went well.
But I don't understand this:

On OpenSSL 1.1.0
ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
returns:
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-CCM8
ECDHE-ECDSA-AES256-CCM
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA
DHE-RSA-AES256-CCM8
DHE-RSA-AES256-CCM
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA256
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA

But since you probably don't have an ECDSA cert, you can remove those lines.

ciphers CHACHA20:ECDSA+AESGCM:ECDHE+AESGCM:ECDSA+SHA384:ECDSA+SHA256:ECDHE+SHA384:ECDHE+SHA256:ECDSA:ECDHE:!3DES:!ADH:!AECDH:!AESCCM:!aNULL:!CAMELLIA:!DES:!DHE:!DSS:!eNULL:!EXP:!IDEA:!LOW:!MD5:!MEDIUM:!NULL:!PSK:!RC4:!SEED:!SHA1:!SRP;
returns:
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256

Again remove ECDSA lines if you don’t have that cert.

How are these lines weaker than your lines?

Unless the CHACHA20 at the top is causing the lower overall score.
Try it without it:

ciphers ECDSA+AESGCM:ECDHE+AESGCM:ECDSA+SHA384:ECDSA+SHA256:ECDHE+SHA384:ECDHE+SHA256:ECDSA:ECDHE:!3DES:!ADH:!AECDH:!AESCCM:!aNULL:!CAMELLIA:!DES:!DHE:!DSS:!eNULL:!EXP:!IDEA:!LOW:!MD5:!MEDIUM:!NULL:!PSK:!RC4:!SEED:!SHA1:!SRP;

Anyway, good night for now.
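As an added example (Python, not code from the thread): parse the suite names listed above, keep only those a server with an RSA certificate can actually negotiate, and estimate the SSL Labs "cipher strength" component the way its published rating guide describes it (per-suite score from the cipher's key size, averaged over the strongest and weakest suite). It shows why the AES128 suites, not CHACHA20, keep that bar below 100%.

```python
# Added example: classify OpenSSL suite names, filter by certificate key type,
# and approximate the SSL Labs cipher-strength score. The suite list is the one
# the thread quotes as the expansion of the CHACHA20 cipher string.
import re

# Constructed input: copied from the thread's second expanded list.
EXPANDED = """ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256""".split()

# kx - auth - cipher [- mode] [- mac]; covers every name quoted in the thread.
SUITE_RE = re.compile(
    r"^(ECDHE|DHE)-(ECDSA|RSA|DSS)-(CHACHA20|AES(?:128|256))-?(GCM|CCM8?|POLY1305)?-?(SHA\d*)?$")

def parse_suite(name):
    """Split an OpenSSL suite name into key exchange, authentication, key bits and AEAD flag."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError("unrecognised suite name: " + name)
    kx, auth, cipher, mode, _mac = m.groups()
    bits = 256 if cipher in ("CHACHA20", "AES256") else 128
    aead = mode is not None  # GCM/CCM/POLY1305 are AEAD; a bare SHAx suffix means CBC + HMAC
    return {"name": name, "kx": kx, "auth": auth, "bits": bits, "aead": aead}

def usable_with_cert(suites, cert_type):
    """Only suites whose authentication matches the server certificate's key type can be negotiated."""
    return [s for s in suites if s["auth"] == cert_type]

def cipher_strength_score(suites):
    """SSL Labs rating guide: 100 for >=256-bit, 80 for 128-255-bit, 20 below; average of best and worst."""
    def single(bits):
        return 100 if bits >= 256 else 80 if bits >= 128 else 20
    scores = [single(s["bits"]) for s in suites]
    return (max(scores) + min(scores)) / 2

if __name__ == "__main__":
    suites = [parse_suite(n) for n in EXPANDED]
    rsa_only = usable_with_cert(suites, "RSA")      # what an RSA-only server really offers
    for s in rsa_only:
        print(f"{s['name']:32} {s['bits']}-bit {'AEAD' if s['aead'] else 'CBC+HMAC'}")
    print("cipher strength score:", cipher_strength_score(rsa_only))
    print("without AES128 suites:", cipher_strength_score([s for s in rsa_only if s["bits"] == 256]))
```

Dropping the AES128 suites lifts the estimated cipher-strength score from 90 to 100, at the cost of clients that only support 128-bit suites.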

Those bars to the right aren't supposed to be 100% and are going to be removed in a future update because they're so confusing.

If you have an A+ you don't need to worry.

If you want to get 100% and A+, try my thread in this forum.

(However it's going to block several older devices from connecting to your server. Be warned.)

Thank you

Thanks for the link it was interesting.

I think I'm going to go with your suggestion.

I don't know what a ECDSA cert is but appreciate your help you have been great.

What is the version of the command above that I can use to test the command in a script without running into the limit on the number of times I can run it?

certbot certonly --staging --webroot -w /usr/local/www -d <domain_name> -d www.<domain_name>
It will still have a rate limit; however, I think it's big enough for mistakes (unless you put the script on a cronjob).

Thank you

What is the limit for staging? 30,000

What will I see to know it staged correctly?

It will show similar congratulations messages; it's just a certificate that isn't valid (not signed by a public CA).

The staging limits are here:
Certificate per domain: 30000 per week
Failed attempts: 60 per hour
Duplicate certificate: 30000 per week

Thank you

Is there an option to automate the initial certbot command so no user input is needed? Other command line options that I can use variables for?
certbot certonly --staging --webroot -w /usr/local/www -d ${HOST_NAME} -d ${HOST_NAME}

There are lots; you should be able to find them via certbot --help. If you have a particular question that Certbot asks that you'd like to know a command-line equivalent for, please feel free to ask and we should be able to point you in the right direction.

certbot certonly --staging --webroot -w /usr/local/www -d ${HOST_NAME} -d ${HOST_NAME} --agree-tos -m ${EMAIL_NAME}

What is the option for "Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about EFF and our work to encrypt the web, protect its users and defend digital rights."? You have to answer yes/no.

I believe --eff-email or --no-eff-email will choose yes or no, respectively.


Thanks I missed that when viewing the help.

When executing this command from a script, with ${HOST_NAME} replaced by my domain, I get this error:

Connection refused

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

  • Your account credentials have been saved in your Certbot
    configuration directory at /usr/local/etc/letsencrypt. You should
    make a secure backup of this folder now. This configuration
    directory will also contain certificates and private keys obtained
    by Certbot so making regular backups of this folder is ideal.

but when I run the command in certbot certonly --webroot -w /usr/local/www -d ${HOST_NAME} -d ${HOST_NAME} --agree-tos -m ${EMAIL_NAME}
it works and I get the congratulations message.

Any idea on what's wrong?

Why are you using it twice?

As for the "Connection refused" to staging problem...
Can you connect to staging with curl or wget?

I followed this instruction, maybe I misunderstood it.
“Use the webroot setting for certbot to install the certificates
certbot certonly --webroot -w /usr/local/www -d <domain_name> -d www.<domain_name>”
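An added example (Python, not from the thread or from Certbot) of the checks worth running before a scripted, non-interactive certbot run against the staging CA: build the domain list without the duplicated -d argument, confirm the web server really serves files from the webroot path at the HTTP-01 challenge location, and only then invoke certbot. HOST_NAME, EMAIL_NAME and the /usr/local/www webroot follow the thread; the probe token and the helper names are this example's own.

```python
# Added example: pre-flight checks for a non-interactive certbot --staging run.
# Helper names, the probe token and the exit handling are constructed here.
import os
import secrets
import subprocess
import urllib.request

def domain_list(host):
    # bare host plus www. alias, de-duplicated (the thread's command passed -d ${HOST_NAME} twice)
    return list(dict.fromkeys([host, "www." + host]))

def build_argv(domains, email, webroot, staging=True):
    # every prompt certbot would otherwise ask is answered by a flag, so cron can run it
    argv = ["certbot", "certonly", "--webroot", "-w", webroot]
    for d in domains:
        argv += ["-d", d]
    argv += ["--agree-tos", "--no-eff-email", "-m", email, "--non-interactive"]
    if staging:
        argv.append("--staging")  # test CA: far higher rate limits, certificates not publicly trusted
    return argv

def write_probe(webroot):
    # drop a random token under the path the HTTP-01 validator fetches from; returns (path, token)
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    token = secrets.token_urlsafe(16)
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as fh:
        fh.write(token)
    return path, token

def probe_served(domain, token, timeout=10):
    # True only if plain HTTP on the domain hands the probe back, as the CA's validator would see it
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode() == token
    except OSError:  # connection refused, timeout, 404 and friends
        return False

if __name__ == "__main__":
    host, email, webroot = os.environ["HOST_NAME"], os.environ["EMAIL_NAME"], "/usr/local/www"
    domains = domain_list(host)
    path, token = write_probe(webroot)
    served = {d: probe_served(d, token) for d in domains}
    os.remove(path)
    print("probe served per domain:", served)
    if all(served.values()):
        subprocess.run(build_argv(domains, email, webroot), check=True)
```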